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WHAT IS CLAIMED IS: 




A\ method for updating a first version of a 
am operating at a network site, comprising: 
m response to an automated event, automatically 
downloading from aVemote site any update for the program; 

installing a downloaded update to generate a second 
version of the program;\and 

operating the seconaVersion of the program in place 
of the first version at the network site. 



2. The method of 
event is a timed event. 




im 1, wherein the automated 




The method of Claim 2, further comprising: 
aging the first version of the program; and 
wherein the timeoyevent is the first version reaching 
a specified age. 
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4. The method of CYaim 3, wherein the specified age 
is less than or equal to /cW&nty-four hours 



5. The method of Clai\ti 2, wherein the timed event 
occurs at least once a day. 
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The Method of Claim 1, the act of automatically 
downloading from^he remote site any update for the program 
comprising : 

automatically ^Jsonnecting to the remote site in 
response to the automated event; 

automatically determining whether the remote site 
includes an update for the\rogram; and 

in response to the remote site including an update, 
automatically downloading the update from the remote site. 
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^]/3. The method of Claim y2., further comprising: 

receiving a recovery event at one of the network 
sites; 

automatically restoring the first version of the 
program at the network site at which the recovery event was 
received; 

broadcasting a recovery message from the network site 
over the network; and 

automatically restoring the first version of the 
program at each of the remaining network sites operating 
the second version of the program. 

14. The method of ClajfmvL, wherein the program is a 
set of intrusion detection Ns-ignatures for an intrusion 
detection sensor. 
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15. The method of Claim 1, wherein the remote site is 
fn Internet web page. 
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2ZK An intrusion detection sy/stem, comprising: 



~ private network including / a plurality of sites 
connected to a public network, each site including an 
intrusion detection sensor operating with a first set of 
intrusion detection signatures; and 

each of the intrusion detec/tion sensors operable to 
automatically download from a remote site any update for 
the intrusion detection signatures in response to a 
specified event, to install a downloaded update to generate 
a second set of intrusion detection signatures, to operate 
with the second set of intrusion detection signatures, and 
to distribute the downloaded update to the remaining 
intrusion detection sensors fo:: installation. 
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. The system of Claim 
event is an automated event. 



wherein the specified 




The system of Claim 
event is a timed event. 



wherein the automated 
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7. The method of\ Claim 1, further comprising 
downloading the update \in an encrypted format and 
decrypting the downloaded /opdate prior to installation. 
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8. The method of OpTaim 1, further comprising 
authenticating the downloaded ^update prior to installation, 

£ method of Claim 1, further comprising; 
after installation of the downloaded update, 
determining whether the second version of the program is 
operating correcuiy; and 

in response iSsp incorrect operation of the second 
version, restoring ttie first version of the program for 
operation at the network site. 

10. The method of Cl\im 1, further comprising: 
distributing the downloaded update to a disparate 
network site operating the first version of the program; 

installing the down loadecK update to generate the 
second version of the program ai\ the disparate network 
site; and 

operating the second version of \he program in place 
of the first version at the disparate network site. 
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11. \The method of Claim 1, further comprising: 
after\ installation of the downloaded update, 
determining ^whether the second version of the program is 
operating correctly at the network site; 

in response to incorrect operation of the second 
version, restoring the first version of the program for 
operation at the network site; and 

in response to\correct operation of the second version 
at the network site; 

distributing the downloaded update to a disparate 
network site operating\ the first version of the program; 

installing thev downloaded update to generate the 
second version of the program at the disparate network 
site; and 

operating the se6ond version of the program in 
place of the first version a\ the disparate network site, 



12. The method of Claim i, further comprising: 
broadcasting over a network an. update message; 
20 receiving in response to thev update message a request 

for the downloaded update from >each of a plurality of 
disparate network sites operating ufte first version of the 
program; 

distributing the downloaded update to the disparate 
25 network sites requesting the downloaded update; 

installing the downloaded update to generate the 
second version of the program at eacl\ of the disparate 
network sites; and 

operating the second version of the\program in place 
30 of the first version at each of the disparate network 

sites . 
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.6. A method for Automatically updating an intrusion 
detection system having a plurality of distributed 
intrusion detection sensors each operating with a first set 
of intrusion detection signatures, comprising: 

m response to a\ specified event, automatically 
downloading from a remotej site any update for the intrusion 
detection signatures ; 

distributing a downloaded update to each sensor; 
installing the downloaded update to generate a second 
set of intrusion detection signatures for each sensor; and 
operating each sensor \with the second set of intrusion 
detection signatures 
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17. The method of 
event is a timed event. 



\Claim 16, wherein the specified 



18. The method of Claim 17, further comprising: 
aging the first set of intrusion detection signatures; 



and 



20 wherein the timed event is the first set of intrusion 

detection signatures reaching a specified age. 
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19. The method of Claim 18,\ wherein the specified age 
is less than or equal to twenty- tour hours. 

20. The method of Claim 17, \ wherein the timed event 
occurs at least once a day. 
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21. The method of Claim 16, the act of automatically 
downloading from the remope site any update for the program 
comprising : 

automatically connecting to the remote site in 
response to the timed event 

automatically determining whether the remote site 
includes an update for the^ j\ntrijsion detection signatures; 
and 

in response to the remdlte site including an update, 
automatically downloading the \update from the remote site, 



